William Leese wrote:
Hi,

Trying to install freeIPA and have it a sub-ca of an existing one. Sadly
I'm not getting anywhere.

The version I have installed:
ipa-server-3.0.0-26.el6_4.4.x86_64

This is what I run:

ipa-server-install -U -a testtest -p testtest
  --external_cert_file=/root/server.pem
  --external_ca_file=/root/cacert.pem -p testtest  -P testtest   -r
MELTWATER.COM

Which runs this as part of the process:

/usr/bin/pkisilent ConfigureCA -cs_hostname vagrant-centos-6.meltwater.com
-cs_port 9445 -client_certdb_dir /tmp/tmp-bOrwSu -client_certdb_pwd
testtest -preop_pin 4hdia3IvPvf27Qo7kBbO -domain_name IPA -admin_user
admin -admin_email root@localhost -admin_password testtest -agent_name
ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject CN=ipa-ca-agent,O=MELTWATER.COM
-ldap_host vagrant-centos-6.meltwater.com -ldap_port 7389 -bind_dn
cn="Directory Manager" -bind_password testtest -base_dn o=ipaca -db_name
ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
-save_p12 true -backup_pwd testtest -subsystem_name pki-cad -token_name
internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=MELTWATER.COM"
-ca_subsystem_cert_subject_name "CN=CA Subsystem,O=MELTWATER.COM"
-ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=MELTWATER.COM"
-ca_server_cert_subject_name CN=vagrant-centos-6.meltwater.com,O=MELTWATER.COM
-ca_audit_signing_cert_subject_name "CN=CA Audit,O=MELTWATER.COM"
-ca_sign_cert_subject_name "CN=Certificate Authority,O=MELTWATER.COM"
-external true -ext_ca_cert_file /root/server.pem
-ext_ca_cert_chain_file /root/cacert.pem

All this results in this in the log:
   <errorString>Failed to create pkcs12 file.</errorString>
[snip]
Error in BackupPanel(): updateStatus value is null
ERROR: ConfigureCA: BackupPanel() failure
ERROR: unable to create CA

Interestingly, adding the option -save_p12 false to the pkisilent command
above results in:

importCert string: importing with nickname: ipa-ca-agent
Already logged into to DB
ERROR:exception importing cert Security library failed to decode
certificate package: (-8183) security library: improperly formatted
DER-encoded message.
ERROR: AdminCertImportPanel() during cert import
ERROR: ConfigureCA: AdminCertImportPanel() failure
ERROR: unable to create CA

While the option change seemed innocent, I honestly don't know if it's
crucial to the install or not. Anyhow, things don't really progress anyway.

I followed the documentation by signing the /root/ipa.csr with a test,
internal CA but somehow I can't get the install to proceed.

[root@vagrant-centos-6 CA]# cat /root/server.pem
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 2 (0x2)
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops,
CN=vagrant.localdomain/emailAddress=t...@t.com
         Validity
             Not Before: Nov  6 05:12:09 2013 GMT
             Not After : Nov  6 05:12:09 2014 GMT
         Subject: O=MELTWATER.COM, CN=Certificate Authority
[snip]
-----BEGIN CERTIFICATE-----
MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJKUDEL
MAkGA1UECAwCVEsxDDAKBgNVBAcMA1RLSzELMAkGA1UECgwCTVcxDDAKBgNVBAsM
A29wczEcMBoGA1UEAwwTdmFncmFudC5sb2NhbGRvbWFpbjEWMBQGCSqGSIb3DQEJ
[snip]

[root@vagrant-centos-6 CA]# cat /root/cacert.pem
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIJALIzKeNrwx2lMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNV
BAYTAkpQMQswCQYDVQQIDAJUSzEMMAoGA1UEBwwDVEtLMQswCQYDVQQKDAJNVzEM
MAoGA1UECwwDb3BzMRwwGgYD
[snip]

Any help would be welcome.

I'd look in /var/log/pki-ca/debug for additional error information.

rob
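Before rerunning the install it is worth confirming that the two files handed to pkisilent (-ext_ca_cert_file and -ext_ca_cert_chain_file above) are what the CA will be asked to import. The script below is an added example, not code from this thread or from FreeIPA: using only the Python standard library it decodes every PEM block as DER (so a truncated or otherwise malformed certificate is reported up front rather than as an NSS decode error), checks that server.pem holds exactly one certificate whose subject is the -ca_sign_cert_subject_name given to pkisilent and whose issuer is the subject of a certificate in cacert.pem, and flags any text in front of the PEM block, such as the openssl -text dump visible in the cat output above. The certificates it builds for its own run are constructed stand-ins with no keys or real signatures, and all function names are mine.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x06": "C"}  # others shown as hex

def tlv(buf, pos=0):  # one DER element at pos -> (tag, content, next_pos); a bad length raises ValueError
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the low 7 bits give the number of length octets that follow
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    if pos + ln > len(buf):
        raise ValueError("length field runs past the end of the data")
    return tag, buf[pos:pos + ln], pos + ln

def children(content):  # child (tag, content) pairs of a constructed element
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = tlv(content, pos)
        out.append((tag, val))
    return out

def name_str(content):  # X.501 Name rendered CN-first, as pkisilent's -*_subject_name arguments are written
    rdns = [f"{ATTR.get(oid, oid.hex())}={val.decode()}" for _, rdn in children(content)
            for _, atv in children(rdn) for (_, oid), (_, val) in [children(atv)[:2]]]
    return ",".join(reversed(rdns))

def cert_names(der_bytes):  # (issuer, subject) of one DER certificate; malformed input raises ValueError
    tag, cert, end = tlv(der_bytes)
    if tag != 0x30 or end != len(der_bytes):
        raise ValueError("not a single SEQUENCE covering all bytes (truncated or trailing data)")
    fields = [f for f in children(children(cert)[0][1]) if f[0] != 0xA0]  # drop the optional [0] version
    return name_str(fields[2][1]), name_str(fields[4][1])  # serial, sigAlg, issuer, validity, subject

def check_external_ca_files(server_pem, ca_pem, wanted_subject):  # findings list; [] means consistent
    try:  # server.pem must hold exactly one certificate; the chain file may hold several
        (issuer, subject), = [cert_names(base64.b64decode(b)) for b in PEM_RE.findall(server_pem)]
        chain = {cert_names(base64.b64decode(b))[1] for b in PEM_RE.findall(ca_pem)}
    except (ValueError, IndexError) as e:
        return [f"cannot decode the files: {e}"]
    return [msg for bad, msg in [
        (server_pem.split("-----BEGIN", 1)[0].strip(), "text precedes the PEM block in server.pem"),
        (subject != wanted_subject, f"subject is {subject!r}, pkisilent was told {wanted_subject!r}"),
        (issuer not in chain, f"issuer {issuer!r} matches no subject in cacert.pem")] if bad]

# Constructed sample input (not real certificates): short-form DER encoder + stand-in cert with only the TBS fields read
def der(tag, content):
    return bytes([tag, len(content)]) + content
def fake_cert_pem(issuer, subject):  # issuer/subject: lists of (attribute OID bytes, value bytes)
    name = lambda a: der(0x30, b"".join(der(0x31, der(0x30, der(0x06, o) + der(0x0C, v))) for o, v in a))
    tbs = der(0x30, der(0x02, b"\x02") + der(0x30, b"") + name(issuer) + der(0x30, b"") + name(subject))
    body = base64.encodebytes(der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"
```

Against the real files, call check_external_ca_files(open("/root/server.pem").read(), open("/root/cacert.pem").read(), "CN=Certificate Authority,O=MELTWATER.COM"); an empty list means the pair is consistent with what pkisilent was told.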

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
